PostgreSQL Source Code  git master
user.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * user.c
4  * Commands for manipulating roles (formerly called users).
5  *
6  * Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group
7  * Portions Copyright (c) 1994, Regents of the University of California
8  *
9  * src/backend/commands/user.c
10  *
11  *-------------------------------------------------------------------------
12  */
13 #include "postgres.h"
14 
15 #include "access/genam.h"
16 #include "access/htup_details.h"
17 #include "access/table.h"
18 #include "access/xact.h"
19 #include "catalog/binary_upgrade.h"
20 #include "catalog/catalog.h"
21 #include "catalog/dependency.h"
22 #include "catalog/indexing.h"
23 #include "catalog/objectaccess.h"
25 #include "catalog/pg_authid.h"
26 #include "catalog/pg_database.h"
28 #include "commands/comment.h"
29 #include "commands/dbcommands.h"
30 #include "commands/seclabel.h"
31 #include "commands/user.h"
32 #include "libpq/crypt.h"
33 #include "miscadmin.h"
34 #include "storage/lmgr.h"
35 #include "utils/acl.h"
36 #include "utils/builtins.h"
37 #include "utils/fmgroids.h"
38 #include "utils/syscache.h"
39 #include "utils/timestamp.h"
40 
41 /* Potentially set by pg_upgrade_support functions */
43 
44 
45 /* GUC parameter */
47 
48 /* Hook to check passwords in CreateRole() and AlterRole() */
50 
51 static void AddRoleMems(const char *rolename, Oid roleid,
52  List *memberSpecs, List *memberIds,
53  Oid grantorId, bool admin_opt);
54 static void DelRoleMems(const char *rolename, Oid roleid,
55  List *memberSpecs, List *memberIds,
56  bool admin_opt);
57 
58 
59 /* Check if current user has createrole privileges */
60 static bool
62 {
64 }
65 
66 
67 /*
68  * CREATE ROLE
69  */
70 Oid
72 {
73  Relation pg_authid_rel;
74  TupleDesc pg_authid_dsc;
75  HeapTuple tuple;
76  Datum new_record[Natts_pg_authid];
77  bool new_record_nulls[Natts_pg_authid];
78  Oid roleid;
79  ListCell *item;
81  char *password = NULL; /* user password */
82  bool issuper = false; /* Make the user a superuser? */
83  bool inherit = true; /* Auto inherit privileges? */
84  bool createrole = false; /* Can this user create roles? */
85  bool createdb = false; /* Can the user create databases? */
86  bool canlogin = false; /* Can this user login? */
87  bool isreplication = false; /* Is this a replication role? */
88  bool bypassrls = false; /* Is this a row security enabled role? */
89  int connlimit = -1; /* maximum connections allowed */
90  List *addroleto = NIL; /* roles to make this a member of */
91  List *rolemembers = NIL; /* roles to be members of this role */
92  List *adminmembers = NIL; /* roles to be admins of this role */
93  char *validUntil = NULL; /* time the login is valid until */
94  Datum validUntil_datum; /* same, as timestamptz Datum */
95  bool validUntil_null;
96  DefElem *dpassword = NULL;
97  DefElem *dissuper = NULL;
98  DefElem *dinherit = NULL;
99  DefElem *dcreaterole = NULL;
100  DefElem *dcreatedb = NULL;
101  DefElem *dcanlogin = NULL;
102  DefElem *disreplication = NULL;
103  DefElem *dconnlimit = NULL;
104  DefElem *daddroleto = NULL;
105  DefElem *drolemembers = NULL;
106  DefElem *dadminmembers = NULL;
107  DefElem *dvalidUntil = NULL;
108  DefElem *dbypassRLS = NULL;
109 
110  /* The defaults can vary depending on the original statement type */
111  switch (stmt->stmt_type)
112  {
113  case ROLESTMT_ROLE:
114  break;
115  case ROLESTMT_USER:
116  canlogin = true;
117  /* may eventually want inherit to default to false here */
118  break;
119  case ROLESTMT_GROUP:
120  break;
121  }
122 
123  /* Extract options from the statement node tree */
124  foreach(option, stmt->options)
125  {
126  DefElem *defel = (DefElem *) lfirst(option);
127 
128  if (strcmp(defel->defname, "password") == 0)
129  {
130  if (dpassword)
131  ereport(ERROR,
132  (errcode(ERRCODE_SYNTAX_ERROR),
133  errmsg("conflicting or redundant options"),
134  parser_errposition(pstate, defel->location)));
135  dpassword = defel;
136  }
137  else if (strcmp(defel->defname, "sysid") == 0)
138  {
139  ereport(NOTICE,
140  (errmsg("SYSID can no longer be specified")));
141  }
142  else if (strcmp(defel->defname, "superuser") == 0)
143  {
144  if (dissuper)
145  ereport(ERROR,
146  (errcode(ERRCODE_SYNTAX_ERROR),
147  errmsg("conflicting or redundant options"),
148  parser_errposition(pstate, defel->location)));
149  dissuper = defel;
150  }
151  else if (strcmp(defel->defname, "inherit") == 0)
152  {
153  if (dinherit)
154  ereport(ERROR,
155  (errcode(ERRCODE_SYNTAX_ERROR),
156  errmsg("conflicting or redundant options"),
157  parser_errposition(pstate, defel->location)));
158  dinherit = defel;
159  }
160  else if (strcmp(defel->defname, "createrole") == 0)
161  {
162  if (dcreaterole)
163  ereport(ERROR,
164  (errcode(ERRCODE_SYNTAX_ERROR),
165  errmsg("conflicting or redundant options"),
166  parser_errposition(pstate, defel->location)));
167  dcreaterole = defel;
168  }
169  else if (strcmp(defel->defname, "createdb") == 0)
170  {
171  if (dcreatedb)
172  ereport(ERROR,
173  (errcode(ERRCODE_SYNTAX_ERROR),
174  errmsg("conflicting or redundant options"),
175  parser_errposition(pstate, defel->location)));
176  dcreatedb = defel;
177  }
178  else if (strcmp(defel->defname, "canlogin") == 0)
179  {
180  if (dcanlogin)
181  ereport(ERROR,
182  (errcode(ERRCODE_SYNTAX_ERROR),
183  errmsg("conflicting or redundant options"),
184  parser_errposition(pstate, defel->location)));
185  dcanlogin = defel;
186  }
187  else if (strcmp(defel->defname, "isreplication") == 0)
188  {
189  if (disreplication)
190  ereport(ERROR,
191  (errcode(ERRCODE_SYNTAX_ERROR),
192  errmsg("conflicting or redundant options"),
193  parser_errposition(pstate, defel->location)));
194  disreplication = defel;
195  }
196  else if (strcmp(defel->defname, "connectionlimit") == 0)
197  {
198  if (dconnlimit)
199  ereport(ERROR,
200  (errcode(ERRCODE_SYNTAX_ERROR),
201  errmsg("conflicting or redundant options"),
202  parser_errposition(pstate, defel->location)));
203  dconnlimit = defel;
204  }
205  else if (strcmp(defel->defname, "addroleto") == 0)
206  {
207  if (daddroleto)
208  ereport(ERROR,
209  (errcode(ERRCODE_SYNTAX_ERROR),
210  errmsg("conflicting or redundant options"),
211  parser_errposition(pstate, defel->location)));
212  daddroleto = defel;
213  }
214  else if (strcmp(defel->defname, "rolemembers") == 0)
215  {
216  if (drolemembers)
217  ereport(ERROR,
218  (errcode(ERRCODE_SYNTAX_ERROR),
219  errmsg("conflicting or redundant options"),
220  parser_errposition(pstate, defel->location)));
221  drolemembers = defel;
222  }
223  else if (strcmp(defel->defname, "adminmembers") == 0)
224  {
225  if (dadminmembers)
226  ereport(ERROR,
227  (errcode(ERRCODE_SYNTAX_ERROR),
228  errmsg("conflicting or redundant options"),
229  parser_errposition(pstate, defel->location)));
230  dadminmembers = defel;
231  }
232  else if (strcmp(defel->defname, "validUntil") == 0)
233  {
234  if (dvalidUntil)
235  ereport(ERROR,
236  (errcode(ERRCODE_SYNTAX_ERROR),
237  errmsg("conflicting or redundant options"),
238  parser_errposition(pstate, defel->location)));
239  dvalidUntil = defel;
240  }
241  else if (strcmp(defel->defname, "bypassrls") == 0)
242  {
243  if (dbypassRLS)
244  ereport(ERROR,
245  (errcode(ERRCODE_SYNTAX_ERROR),
246  errmsg("conflicting or redundant options"),
247  parser_errposition(pstate, defel->location)));
248  dbypassRLS = defel;
249  }
250  else
251  elog(ERROR, "option \"%s\" not recognized",
252  defel->defname);
253  }
254 
255  if (dpassword && dpassword->arg)
256  password = strVal(dpassword->arg);
257  if (dissuper)
258  issuper = intVal(dissuper->arg) != 0;
259  if (dinherit)
260  inherit = intVal(dinherit->arg) != 0;
261  if (dcreaterole)
262  createrole = intVal(dcreaterole->arg) != 0;
263  if (dcreatedb)
264  createdb = intVal(dcreatedb->arg) != 0;
265  if (dcanlogin)
266  canlogin = intVal(dcanlogin->arg) != 0;
267  if (disreplication)
268  isreplication = intVal(disreplication->arg) != 0;
269  if (dconnlimit)
270  {
271  connlimit = intVal(dconnlimit->arg);
272  if (connlimit < -1)
273  ereport(ERROR,
274  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
275  errmsg("invalid connection limit: %d", connlimit)));
276  }
277  if (daddroleto)
278  addroleto = (List *) daddroleto->arg;
279  if (drolemembers)
280  rolemembers = (List *) drolemembers->arg;
281  if (dadminmembers)
282  adminmembers = (List *) dadminmembers->arg;
283  if (dvalidUntil)
284  validUntil = strVal(dvalidUntil->arg);
285  if (dbypassRLS)
286  bypassrls = intVal(dbypassRLS->arg) != 0;
287 
288  /* Check some permissions first */
289  if (issuper)
290  {
291  if (!superuser())
292  ereport(ERROR,
293  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
294  errmsg("must be superuser to create superusers")));
295  }
296  else if (isreplication)
297  {
298  if (!superuser())
299  ereport(ERROR,
300  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
301  errmsg("must be superuser to create replication users")));
302  }
303  else if (bypassrls)
304  {
305  if (!superuser())
306  ereport(ERROR,
307  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
308  errmsg("must be superuser to change bypassrls attribute")));
309  }
310  else
311  {
313  ereport(ERROR,
314  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
315  errmsg("permission denied to create role")));
316  }
317 
318  /*
319  * Check that the user is not trying to create a role in the reserved
320  * "pg_" namespace.
321  */
322  if (IsReservedName(stmt->role))
323  ereport(ERROR,
324  (errcode(ERRCODE_RESERVED_NAME),
325  errmsg("role name \"%s\" is reserved",
326  stmt->role),
327  errdetail("Role names starting with \"pg_\" are reserved.")));
328 
329  /*
330  * If built with appropriate switch, whine when regression-testing
331  * conventions for role names are violated.
332  */
333 #ifdef ENFORCE_REGRESSION_TEST_NAME_RESTRICTIONS
334  if (strncmp(stmt->role, "regress_", 8) != 0)
335  elog(WARNING, "roles created by regression test cases should have names starting with \"regress_\"");
336 #endif
337 
338  /*
339  * Check the pg_authid relation to be certain the role doesn't already
340  * exist.
341  */
342  pg_authid_rel = table_open(AuthIdRelationId, RowExclusiveLock);
343  pg_authid_dsc = RelationGetDescr(pg_authid_rel);
344 
345  if (OidIsValid(get_role_oid(stmt->role, true)))
346  ereport(ERROR,
348  errmsg("role \"%s\" already exists",
349  stmt->role)));
350 
351  /* Convert validuntil to internal form */
352  if (validUntil)
353  {
354  validUntil_datum = DirectFunctionCall3(timestamptz_in,
355  CStringGetDatum(validUntil),
357  Int32GetDatum(-1));
358  validUntil_null = false;
359  }
360  else
361  {
362  validUntil_datum = (Datum) 0;
363  validUntil_null = true;
364  }
365 
366  /*
367  * Call the password checking hook if there is one defined
368  */
369  if (check_password_hook && password)
370  (*check_password_hook) (stmt->role,
371  password,
372  get_password_type(password),
373  validUntil_datum,
374  validUntil_null);
375 
376  /*
377  * Build a tuple to insert
378  */
379  MemSet(new_record, 0, sizeof(new_record));
380  MemSet(new_record_nulls, false, sizeof(new_record_nulls));
381 
382  new_record[Anum_pg_authid_rolname - 1] =
384 
385  new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(issuper);
386  new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(inherit);
387  new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(createrole);
388  new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(createdb);
389  new_record[Anum_pg_authid_rolcanlogin - 1] = BoolGetDatum(canlogin);
390  new_record[Anum_pg_authid_rolreplication - 1] = BoolGetDatum(isreplication);
391  new_record[Anum_pg_authid_rolconnlimit - 1] = Int32GetDatum(connlimit);
392 
393  if (password)
394  {
395  char *shadow_pass;
396  char *logdetail;
397 
398  /*
399  * Don't allow an empty password. Libpq treats an empty password the
400  * same as no password at all, and won't even try to authenticate. But
401  * other clients might, so allowing it would be confusing. By clearing
402  * the password when an empty string is specified, the account is
403  * consistently locked for all clients.
404  *
405  * Note that this only covers passwords stored in the database itself.
406  * There are also checks in the authentication code, to forbid an
407  * empty password from being used with authentication methods that
408  * fetch the password from an external system, like LDAP or PAM.
409  */
410  if (password[0] == '\0' ||
411  plain_crypt_verify(stmt->role, password, "", &logdetail) == STATUS_OK)
412  {
413  ereport(NOTICE,
414  (errmsg("empty string is not a valid password, clearing password")));
415  new_record_nulls[Anum_pg_authid_rolpassword - 1] = true;
416  }
417  else
418  {
419  /* Encrypt the password to the requested format. */
420  shadow_pass = encrypt_password(Password_encryption, stmt->role,
421  password);
422  new_record[Anum_pg_authid_rolpassword - 1] =
423  CStringGetTextDatum(shadow_pass);
424  }
425  }
426  else
427  new_record_nulls[Anum_pg_authid_rolpassword - 1] = true;
428 
429  new_record[Anum_pg_authid_rolvaliduntil - 1] = validUntil_datum;
430  new_record_nulls[Anum_pg_authid_rolvaliduntil - 1] = validUntil_null;
431 
432  new_record[Anum_pg_authid_rolbypassrls - 1] = BoolGetDatum(bypassrls);
433 
434  /*
435  * pg_largeobject_metadata contains pg_authid.oid's, so we use the
436  * binary-upgrade override.
437  */
438  if (IsBinaryUpgrade)
439  {
441  ereport(ERROR,
442  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
443  errmsg("pg_authid OID value not set when in binary upgrade mode")));
444 
447  }
448  else
449  {
450  roleid = GetNewOidWithIndex(pg_authid_rel, AuthIdOidIndexId,
451  Anum_pg_authid_oid);
452  }
453 
454  new_record[Anum_pg_authid_oid - 1] = ObjectIdGetDatum(roleid);
455 
456  tuple = heap_form_tuple(pg_authid_dsc, new_record, new_record_nulls);
457 
458  /*
459  * Insert new record in the pg_authid table
460  */
461  CatalogTupleInsert(pg_authid_rel, tuple);
462 
463  /*
464  * Advance command counter so we can see new record; else tests in
465  * AddRoleMems may fail.
466  */
467  if (addroleto || adminmembers || rolemembers)
469 
470  /*
471  * Add the new role to the specified existing roles.
472  */
473  if (addroleto)
474  {
475  RoleSpec *thisrole = makeNode(RoleSpec);
476  List *thisrole_list = list_make1(thisrole);
477  List *thisrole_oidlist = list_make1_oid(roleid);
478 
479  thisrole->roletype = ROLESPEC_CSTRING;
480  thisrole->rolename = stmt->role;
481  thisrole->location = -1;
482 
483  foreach(item, addroleto)
484  {
485  RoleSpec *oldrole = lfirst(item);
486  HeapTuple oldroletup = get_rolespec_tuple(oldrole);
487  Form_pg_authid oldroleform = (Form_pg_authid) GETSTRUCT(oldroletup);
488  Oid oldroleid = oldroleform->oid;
489  char *oldrolename = NameStr(oldroleform->rolname);
490 
491  AddRoleMems(oldrolename, oldroleid,
492  thisrole_list,
493  thisrole_oidlist,
494  GetUserId(), false);
495 
496  ReleaseSysCache(oldroletup);
497  }
498  }
499 
500  /*
501  * Add the specified members to this new role. adminmembers get the admin
502  * option, rolemembers don't.
503  */
504  AddRoleMems(stmt->role, roleid,
505  adminmembers, roleSpecsToIds(adminmembers),
506  GetUserId(), true);
507  AddRoleMems(stmt->role, roleid,
508  rolemembers, roleSpecsToIds(rolemembers),
509  GetUserId(), false);
510 
511  /* Post creation hook for new role */
512  InvokeObjectPostCreateHook(AuthIdRelationId, roleid, 0);
513 
514  /*
515  * Close pg_authid, but keep lock till commit.
516  */
517  table_close(pg_authid_rel, NoLock);
518 
519  return roleid;
520 }
521 
522 
523 /*
524  * ALTER ROLE
525  *
526  * Note: the rolemembers option accepted here is intended to support the
527  * backwards-compatible ALTER GROUP syntax. Although it will work to say
528  * "ALTER ROLE role ROLE rolenames", we don't document it.
529  */
530 Oid
532 {
533  Datum new_record[Natts_pg_authid];
534  bool new_record_nulls[Natts_pg_authid];
535  bool new_record_repl[Natts_pg_authid];
536  Relation pg_authid_rel;
537  TupleDesc pg_authid_dsc;
538  HeapTuple tuple,
539  new_tuple;
540  Form_pg_authid authform;
541  ListCell *option;
542  char *rolename = NULL;
543  char *password = NULL; /* user password */
544  int issuper = -1; /* Make the user a superuser? */
545  int inherit = -1; /* Auto inherit privileges? */
546  int createrole = -1; /* Can this user create roles? */
547  int createdb = -1; /* Can the user create databases? */
548  int canlogin = -1; /* Can this user login? */
549  int isreplication = -1; /* Is this a replication role? */
550  int connlimit = -1; /* maximum connections allowed */
551  List *rolemembers = NIL; /* roles to be added/removed */
552  char *validUntil = NULL; /* time the login is valid until */
553  Datum validUntil_datum; /* same, as timestamptz Datum */
554  bool validUntil_null;
555  int bypassrls = -1;
556  DefElem *dpassword = NULL;
557  DefElem *dissuper = NULL;
558  DefElem *dinherit = NULL;
559  DefElem *dcreaterole = NULL;
560  DefElem *dcreatedb = NULL;
561  DefElem *dcanlogin = NULL;
562  DefElem *disreplication = NULL;
563  DefElem *dconnlimit = NULL;
564  DefElem *drolemembers = NULL;
565  DefElem *dvalidUntil = NULL;
566  DefElem *dbypassRLS = NULL;
567  Oid roleid;
568 
570  "Cannot alter reserved roles.");
571 
572  /* Extract options from the statement node tree */
573  foreach(option, stmt->options)
574  {
575  DefElem *defel = (DefElem *) lfirst(option);
576 
577  if (strcmp(defel->defname, "password") == 0)
578  {
579  if (dpassword)
580  ereport(ERROR,
581  (errcode(ERRCODE_SYNTAX_ERROR),
582  errmsg("conflicting or redundant options")));
583  dpassword = defel;
584  }
585  else if (strcmp(defel->defname, "superuser") == 0)
586  {
587  if (dissuper)
588  ereport(ERROR,
589  (errcode(ERRCODE_SYNTAX_ERROR),
590  errmsg("conflicting or redundant options")));
591  dissuper = defel;
592  }
593  else if (strcmp(defel->defname, "inherit") == 0)
594  {
595  if (dinherit)
596  ereport(ERROR,
597  (errcode(ERRCODE_SYNTAX_ERROR),
598  errmsg("conflicting or redundant options")));
599  dinherit = defel;
600  }
601  else if (strcmp(defel->defname, "createrole") == 0)
602  {
603  if (dcreaterole)
604  ereport(ERROR,
605  (errcode(ERRCODE_SYNTAX_ERROR),
606  errmsg("conflicting or redundant options")));
607  dcreaterole = defel;
608  }
609  else if (strcmp(defel->defname, "createdb") == 0)
610  {
611  if (dcreatedb)
612  ereport(ERROR,
613  (errcode(ERRCODE_SYNTAX_ERROR),
614  errmsg("conflicting or redundant options")));
615  dcreatedb = defel;
616  }
617  else if (strcmp(defel->defname, "canlogin") == 0)
618  {
619  if (dcanlogin)
620  ereport(ERROR,
621  (errcode(ERRCODE_SYNTAX_ERROR),
622  errmsg("conflicting or redundant options")));
623  dcanlogin = defel;
624  }
625  else if (strcmp(defel->defname, "isreplication") == 0)
626  {
627  if (disreplication)
628  ereport(ERROR,
629  (errcode(ERRCODE_SYNTAX_ERROR),
630  errmsg("conflicting or redundant options")));
631  disreplication = defel;
632  }
633  else if (strcmp(defel->defname, "connectionlimit") == 0)
634  {
635  if (dconnlimit)
636  ereport(ERROR,
637  (errcode(ERRCODE_SYNTAX_ERROR),
638  errmsg("conflicting or redundant options")));
639  dconnlimit = defel;
640  }
641  else if (strcmp(defel->defname, "rolemembers") == 0 &&
642  stmt->action != 0)
643  {
644  if (drolemembers)
645  ereport(ERROR,
646  (errcode(ERRCODE_SYNTAX_ERROR),
647  errmsg("conflicting or redundant options")));
648  drolemembers = defel;
649  }
650  else if (strcmp(defel->defname, "validUntil") == 0)
651  {
652  if (dvalidUntil)
653  ereport(ERROR,
654  (errcode(ERRCODE_SYNTAX_ERROR),
655  errmsg("conflicting or redundant options")));
656  dvalidUntil = defel;
657  }
658  else if (strcmp(defel->defname, "bypassrls") == 0)
659  {
660  if (dbypassRLS)
661  ereport(ERROR,
662  (errcode(ERRCODE_SYNTAX_ERROR),
663  errmsg("conflicting or redundant options")));
664  dbypassRLS = defel;
665  }
666  else
667  elog(ERROR, "option \"%s\" not recognized",
668  defel->defname);
669  }
670 
671  if (dpassword && dpassword->arg)
672  password = strVal(dpassword->arg);
673  if (dissuper)
674  issuper = intVal(dissuper->arg);
675  if (dinherit)
676  inherit = intVal(dinherit->arg);
677  if (dcreaterole)
678  createrole = intVal(dcreaterole->arg);
679  if (dcreatedb)
680  createdb = intVal(dcreatedb->arg);
681  if (dcanlogin)
682  canlogin = intVal(dcanlogin->arg);
683  if (disreplication)
684  isreplication = intVal(disreplication->arg);
685  if (dconnlimit)
686  {
687  connlimit = intVal(dconnlimit->arg);
688  if (connlimit < -1)
689  ereport(ERROR,
690  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
691  errmsg("invalid connection limit: %d", connlimit)));
692  }
693  if (drolemembers)
694  rolemembers = (List *) drolemembers->arg;
695  if (dvalidUntil)
696  validUntil = strVal(dvalidUntil->arg);
697  if (dbypassRLS)
698  bypassrls = intVal(dbypassRLS->arg);
699 
700  /*
701  * Scan the pg_authid relation to be certain the user exists.
702  */
703  pg_authid_rel = table_open(AuthIdRelationId, RowExclusiveLock);
704  pg_authid_dsc = RelationGetDescr(pg_authid_rel);
705 
706  tuple = get_rolespec_tuple(stmt->role);
707  authform = (Form_pg_authid) GETSTRUCT(tuple);
708  rolename = pstrdup(NameStr(authform->rolname));
709  roleid = authform->oid;
710 
711  /*
712  * To mess with a superuser you gotta be superuser; else you need
713  * createrole, or just want to change your own password
714  */
715  if (authform->rolsuper || issuper >= 0)
716  {
717  if (!superuser())
718  ereport(ERROR,
719  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
720  errmsg("must be superuser to alter superusers")));
721  }
722  else if (authform->rolreplication || isreplication >= 0)
723  {
724  if (!superuser())
725  ereport(ERROR,
726  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
727  errmsg("must be superuser to alter replication users")));
728  }
729  else if (authform->rolbypassrls || bypassrls >= 0)
730  {
731  if (!superuser())
732  ereport(ERROR,
733  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
734  errmsg("must be superuser to change bypassrls attribute")));
735  }
736  else if (!have_createrole_privilege())
737  {
738  if (!(inherit < 0 &&
739  createrole < 0 &&
740  createdb < 0 &&
741  canlogin < 0 &&
742  isreplication < 0 &&
743  !dconnlimit &&
744  !rolemembers &&
745  !validUntil &&
746  dpassword &&
747  roleid == GetUserId()))
748  ereport(ERROR,
749  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
750  errmsg("permission denied")));
751  }
752 
753  /* Convert validuntil to internal form */
754  if (validUntil)
755  {
756  validUntil_datum = DirectFunctionCall3(timestamptz_in,
757  CStringGetDatum(validUntil),
759  Int32GetDatum(-1));
760  validUntil_null = false;
761  }
762  else
763  {
764  /* fetch existing setting in case hook needs it */
765  validUntil_datum = SysCacheGetAttr(AUTHNAME, tuple,
766  Anum_pg_authid_rolvaliduntil,
767  &validUntil_null);
768  }
769 
770  /*
771  * Call the password checking hook if there is one defined
772  */
773  if (check_password_hook && password)
774  (*check_password_hook) (rolename,
775  password,
776  get_password_type(password),
777  validUntil_datum,
778  validUntil_null);
779 
780  /*
781  * Build an updated tuple, perusing the information just obtained
782  */
783  MemSet(new_record, 0, sizeof(new_record));
784  MemSet(new_record_nulls, false, sizeof(new_record_nulls));
785  MemSet(new_record_repl, false, sizeof(new_record_repl));
786 
787  /*
788  * issuper/createrole/etc
789  */
790  if (issuper >= 0)
791  {
792  new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(issuper > 0);
793  new_record_repl[Anum_pg_authid_rolsuper - 1] = true;
794  }
795 
796  if (inherit >= 0)
797  {
798  new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(inherit > 0);
799  new_record_repl[Anum_pg_authid_rolinherit - 1] = true;
800  }
801 
802  if (createrole >= 0)
803  {
804  new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(createrole > 0);
805  new_record_repl[Anum_pg_authid_rolcreaterole - 1] = true;
806  }
807 
808  if (createdb >= 0)
809  {
810  new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(createdb > 0);
811  new_record_repl[Anum_pg_authid_rolcreatedb - 1] = true;
812  }
813 
814  if (canlogin >= 0)
815  {
816  new_record[Anum_pg_authid_rolcanlogin - 1] = BoolGetDatum(canlogin > 0);
817  new_record_repl[Anum_pg_authid_rolcanlogin - 1] = true;
818  }
819 
820  if (isreplication >= 0)
821  {
822  new_record[Anum_pg_authid_rolreplication - 1] = BoolGetDatum(isreplication > 0);
823  new_record_repl[Anum_pg_authid_rolreplication - 1] = true;
824  }
825 
826  if (dconnlimit)
827  {
828  new_record[Anum_pg_authid_rolconnlimit - 1] = Int32GetDatum(connlimit);
829  new_record_repl[Anum_pg_authid_rolconnlimit - 1] = true;
830  }
831 
832  /* password */
833  if (password)
834  {
835  char *shadow_pass;
836  char *logdetail;
837 
838  /* Like in CREATE USER, don't allow an empty password. */
839  if (password[0] == '\0' ||
840  plain_crypt_verify(rolename, password, "", &logdetail) == STATUS_OK)
841  {
842  ereport(NOTICE,
843  (errmsg("empty string is not a valid password, clearing password")));
844  new_record_nulls[Anum_pg_authid_rolpassword - 1] = true;
845  }
846  else
847  {
848  /* Encrypt the password to the requested format. */
849  shadow_pass = encrypt_password(Password_encryption, rolename,
850  password);
851  new_record[Anum_pg_authid_rolpassword - 1] =
852  CStringGetTextDatum(shadow_pass);
853  }
854  new_record_repl[Anum_pg_authid_rolpassword - 1] = true;
855  }
856 
857  /* unset password */
858  if (dpassword && dpassword->arg == NULL)
859  {
860  new_record_repl[Anum_pg_authid_rolpassword - 1] = true;
861  new_record_nulls[Anum_pg_authid_rolpassword - 1] = true;
862  }
863 
864  /* valid until */
865  new_record[Anum_pg_authid_rolvaliduntil - 1] = validUntil_datum;
866  new_record_nulls[Anum_pg_authid_rolvaliduntil - 1] = validUntil_null;
867  new_record_repl[Anum_pg_authid_rolvaliduntil - 1] = true;
868 
869  if (bypassrls >= 0)
870  {
871  new_record[Anum_pg_authid_rolbypassrls - 1] = BoolGetDatum(bypassrls > 0);
872  new_record_repl[Anum_pg_authid_rolbypassrls - 1] = true;
873  }
874 
875  new_tuple = heap_modify_tuple(tuple, pg_authid_dsc, new_record,
876  new_record_nulls, new_record_repl);
877  CatalogTupleUpdate(pg_authid_rel, &tuple->t_self, new_tuple);
878 
879  InvokeObjectPostAlterHook(AuthIdRelationId, roleid, 0);
880 
881  ReleaseSysCache(tuple);
882  heap_freetuple(new_tuple);
883 
884  /*
885  * Advance command counter so we can see new record; else tests in
886  * AddRoleMems may fail.
887  */
888  if (rolemembers)
890 
891  if (stmt->action == +1) /* add members to role */
892  AddRoleMems(rolename, roleid,
893  rolemembers, roleSpecsToIds(rolemembers),
894  GetUserId(), false);
895  else if (stmt->action == -1) /* drop members from role */
896  DelRoleMems(rolename, roleid,
897  rolemembers, roleSpecsToIds(rolemembers),
898  false);
899 
900  /*
901  * Close pg_authid, but keep lock till commit.
902  */
903  table_close(pg_authid_rel, NoLock);
904 
905  return roleid;
906 }
907 
908 
909 /*
910  * ALTER ROLE ... SET
911  */
912 Oid
914 {
915  HeapTuple roletuple;
916  Form_pg_authid roleform;
917  Oid databaseid = InvalidOid;
918  Oid roleid = InvalidOid;
919 
920  if (stmt->role)
921  {
923  "Cannot alter reserved roles.");
924 
925  roletuple = get_rolespec_tuple(stmt->role);
926  roleform = (Form_pg_authid) GETSTRUCT(roletuple);
927  roleid = roleform->oid;
928 
929  /*
930  * Obtain a lock on the role and make sure it didn't go away in the
931  * meantime.
932  */
933  shdepLockAndCheckObject(AuthIdRelationId, roleid);
934 
935  /*
936  * To mess with a superuser you gotta be superuser; else you need
937  * createrole, or just want to change your own settings
938  */
939  if (roleform->rolsuper)
940  {
941  if (!superuser())
942  ereport(ERROR,
943  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
944  errmsg("must be superuser to alter superusers")));
945  }
946  else
947  {
948  if (!have_createrole_privilege() && roleid != GetUserId())
949  ereport(ERROR,
950  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
951  errmsg("permission denied")));
952  }
953 
954  ReleaseSysCache(roletuple);
955  }
956 
957  /* look up and lock the database, if specified */
958  if (stmt->database != NULL)
959  {
960  databaseid = get_database_oid(stmt->database, false);
961  shdepLockAndCheckObject(DatabaseRelationId, databaseid);
962 
963  if (!stmt->role)
964  {
965  /*
966  * If no role is specified, then this is effectively the same as
967  * ALTER DATABASE ... SET, so use the same permission check.
968  */
969  if (!pg_database_ownercheck(databaseid, GetUserId()))
971  stmt->database);
972  }
973  }
974 
975  if (!stmt->role && !stmt->database)
976  {
977  /* Must be superuser to alter settings globally. */
978  if (!superuser())
979  ereport(ERROR,
980  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
981  errmsg("must be superuser to alter settings globally")));
982  }
983 
984  AlterSetting(databaseid, roleid, stmt->setstmt);
985 
986  return roleid;
987 }
988 
989 
990 /*
991  * DROP ROLE
992  */
993 void
995 {
996  Relation pg_authid_rel,
997  pg_auth_members_rel;
998  ListCell *item;
999 
1001  ereport(ERROR,
1002  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1003  errmsg("permission denied to drop role")));
1004 
1005  /*
1006  * Scan the pg_authid relation to find the Oid of the role(s) to be
1007  * deleted.
1008  */
1009  pg_authid_rel = table_open(AuthIdRelationId, RowExclusiveLock);
1010  pg_auth_members_rel = table_open(AuthMemRelationId, RowExclusiveLock);
1011 
1012  foreach(item, stmt->roles)
1013  {
1014  RoleSpec *rolspec = lfirst(item);
1015  char *role;
1016  HeapTuple tuple,
1017  tmp_tuple;
1018  Form_pg_authid roleform;
1019  ScanKeyData scankey;
1020  char *detail;
1021  char *detail_log;
1022  SysScanDesc sscan;
1023  Oid roleid;
1024 
1025  if (rolspec->roletype != ROLESPEC_CSTRING)
1026  ereport(ERROR,
1027  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1028  errmsg("cannot use special role specifier in DROP ROLE")));
1029  role = rolspec->rolename;
1030 
1031  tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role));
1032  if (!HeapTupleIsValid(tuple))
1033  {
1034  if (!stmt->missing_ok)
1035  {
1036  ereport(ERROR,
1037  (errcode(ERRCODE_UNDEFINED_OBJECT),
1038  errmsg("role \"%s\" does not exist", role)));
1039  }
1040  else
1041  {
1042  ereport(NOTICE,
1043  (errmsg("role \"%s\" does not exist, skipping",
1044  role)));
1045  }
1046 
1047  continue;
1048  }
1049 
1050  roleform = (Form_pg_authid) GETSTRUCT(tuple);
1051  roleid = roleform->oid;
1052 
1053  if (roleid == GetUserId())
1054  ereport(ERROR,
1055  (errcode(ERRCODE_OBJECT_IN_USE),
1056  errmsg("current user cannot be dropped")));
1057  if (roleid == GetOuterUserId())
1058  ereport(ERROR,
1059  (errcode(ERRCODE_OBJECT_IN_USE),
1060  errmsg("current user cannot be dropped")));
1061  if (roleid == GetSessionUserId())
1062  ereport(ERROR,
1063  (errcode(ERRCODE_OBJECT_IN_USE),
1064  errmsg("session user cannot be dropped")));
1065 
1066  /*
1067  * For safety's sake, we allow createrole holders to drop ordinary
1068  * roles but not superuser roles. This is mainly to avoid the
1069  * scenario where you accidentally drop the last superuser.
1070  */
1071  if (roleform->rolsuper && !superuser())
1072  ereport(ERROR,
1073  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1074  errmsg("must be superuser to drop superusers")));
1075 
1076  /* DROP hook for the role being removed */
1077  InvokeObjectDropHook(AuthIdRelationId, roleid, 0);
1078 
1079  /*
1080  * Lock the role, so nobody can add dependencies to her while we drop
1081  * her. We keep the lock until the end of transaction.
1082  */
1083  LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock);
1084 
1085  /* Check for pg_shdepend entries depending on this role */
1086  if (checkSharedDependencies(AuthIdRelationId, roleid,
1087  &detail, &detail_log))
1088  ereport(ERROR,
1089  (errcode(ERRCODE_DEPENDENT_OBJECTS_STILL_EXIST),
1090  errmsg("role \"%s\" cannot be dropped because some objects depend on it",
1091  role),
1092  errdetail_internal("%s", detail),
1093  errdetail_log("%s", detail_log)));
1094 
1095  /*
1096  * Remove the role from the pg_authid table
1097  */
1098  CatalogTupleDelete(pg_authid_rel, &tuple->t_self);
1099 
1100  ReleaseSysCache(tuple);
1101 
1102  /*
1103  * Remove role from the pg_auth_members table. We have to remove all
1104  * tuples that show it as either a role or a member.
1105  *
1106  * XXX what about grantor entries? Maybe we should do one heap scan.
1107  */
1108  ScanKeyInit(&scankey,
1109  Anum_pg_auth_members_roleid,
1110  BTEqualStrategyNumber, F_OIDEQ,
1111  ObjectIdGetDatum(roleid));
1112 
1113  sscan = systable_beginscan(pg_auth_members_rel, AuthMemRoleMemIndexId,
1114  true, NULL, 1, &scankey);
1115 
1116  while (HeapTupleIsValid(tmp_tuple = systable_getnext(sscan)))
1117  {
1118  CatalogTupleDelete(pg_auth_members_rel, &tmp_tuple->t_self);
1119  }
1120 
1121  systable_endscan(sscan);
1122 
1123  ScanKeyInit(&scankey,
1124  Anum_pg_auth_members_member,
1125  BTEqualStrategyNumber, F_OIDEQ,
1126  ObjectIdGetDatum(roleid));
1127 
1128  sscan = systable_beginscan(pg_auth_members_rel, AuthMemMemRoleIndexId,
1129  true, NULL, 1, &scankey);
1130 
1131  while (HeapTupleIsValid(tmp_tuple = systable_getnext(sscan)))
1132  {
1133  CatalogTupleDelete(pg_auth_members_rel, &tmp_tuple->t_self);
1134  }
1135 
1136  systable_endscan(sscan);
1137 
1138  /*
1139  * Remove any comments or security labels on this role.
1140  */
1141  DeleteSharedComments(roleid, AuthIdRelationId);
1142  DeleteSharedSecurityLabel(roleid, AuthIdRelationId);
1143 
1144  /*
1145  * Remove settings for this role.
1146  */
1147  DropSetting(InvalidOid, roleid);
1148 
1149  /*
1150  * Advance command counter so that later iterations of this loop will
1151  * see the changes already made. This is essential if, for example,
1152  * we are trying to drop both a role and one of its direct members ---
1153  * we'll get an error if we try to delete the linking pg_auth_members
1154  * tuple twice. (We do not need a CCI between the two delete loops
1155  * above, because it's not allowed for a role to directly contain
1156  * itself.)
1157  */
1159  }
1160 
1161  /*
1162  * Now we can clean up; but keep locks until commit.
1163  */
1164  table_close(pg_auth_members_rel, NoLock);
1165  table_close(pg_authid_rel, NoLock);
1166 }
1167 
1168 /*
1169  * Rename role
1170  */
1172 RenameRole(const char *oldname, const char *newname)
1173 {
1174  HeapTuple oldtuple,
1175  newtuple;
1176  TupleDesc dsc;
1177  Relation rel;
1178  Datum datum;
1179  bool isnull;
1180  Datum repl_val[Natts_pg_authid];
1181  bool repl_null[Natts_pg_authid];
1182  bool repl_repl[Natts_pg_authid];
1183  int i;
1184  Oid roleid;
1185  ObjectAddress address;
1186  Form_pg_authid authform;
1187 
1188  rel = table_open(AuthIdRelationId, RowExclusiveLock);
1189  dsc = RelationGetDescr(rel);
1190 
1191  oldtuple = SearchSysCache1(AUTHNAME, CStringGetDatum(oldname));
1192  if (!HeapTupleIsValid(oldtuple))
1193  ereport(ERROR,
1194  (errcode(ERRCODE_UNDEFINED_OBJECT),
1195  errmsg("role \"%s\" does not exist", oldname)));
1196 
1197  /*
1198  * XXX Client applications probably store the session user somewhere, so
1199  * renaming it could cause confusion. On the other hand, there may not be
1200  * an actual problem besides a little confusion, so think about this and
1201  * decide. Same for SET ROLE ... we don't restrict renaming the current
1202  * effective userid, though.
1203  */
1204 
1205  authform = (Form_pg_authid) GETSTRUCT(oldtuple);
1206  roleid = authform->oid;
1207 
1208  if (roleid == GetSessionUserId())
1209  ereport(ERROR,
1210  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
1211  errmsg("session user cannot be renamed")));
1212  if (roleid == GetOuterUserId())
1213  ereport(ERROR,
1214  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
1215  errmsg("current user cannot be renamed")));
1216 
1217  /*
1218  * Check that the user is not trying to rename a system role and not
1219  * trying to rename a role into the reserved "pg_" namespace.
1220  */
1221  if (IsReservedName(NameStr(authform->rolname)))
1222  ereport(ERROR,
1223  (errcode(ERRCODE_RESERVED_NAME),
1224  errmsg("role name \"%s\" is reserved",
1225  NameStr(authform->rolname)),
1226  errdetail("Role names starting with \"pg_\" are reserved.")));
1227 
1228  if (IsReservedName(newname))
1229  ereport(ERROR,
1230  (errcode(ERRCODE_RESERVED_NAME),
1231  errmsg("role name \"%s\" is reserved",
1232  newname),
1233  errdetail("Role names starting with \"pg_\" are reserved.")));
1234 
1235  /*
1236  * If built with appropriate switch, whine when regression-testing
1237  * conventions for role names are violated.
1238  */
1239 #ifdef ENFORCE_REGRESSION_TEST_NAME_RESTRICTIONS
1240  if (strncmp(newname, "regress_", 8) != 0)
1241  elog(WARNING, "roles created by regression test cases should have names starting with \"regress_\"");
1242 #endif
1243 
1244  /* make sure the new name doesn't exist */
1246  ereport(ERROR,
1248  errmsg("role \"%s\" already exists", newname)));
1249 
1250  /*
1251  * createrole is enough privilege unless you want to mess with a superuser
1252  */
1253  if (((Form_pg_authid) GETSTRUCT(oldtuple))->rolsuper)
1254  {
1255  if (!superuser())
1256  ereport(ERROR,
1257  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1258  errmsg("must be superuser to rename superusers")));
1259  }
1260  else
1261  {
1263  ereport(ERROR,
1264  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1265  errmsg("permission denied to rename role")));
1266  }
1267 
1268  /* OK, construct the modified tuple */
1269  for (i = 0; i < Natts_pg_authid; i++)
1270  repl_repl[i] = false;
1271 
1272  repl_repl[Anum_pg_authid_rolname - 1] = true;
1273  repl_val[Anum_pg_authid_rolname - 1] = DirectFunctionCall1(namein,
1274  CStringGetDatum(newname));
1275  repl_null[Anum_pg_authid_rolname - 1] = false;
1276 
1277  datum = heap_getattr(oldtuple, Anum_pg_authid_rolpassword, dsc, &isnull);
1278 
1279  if (!isnull && get_password_type(TextDatumGetCString(datum)) == PASSWORD_TYPE_MD5)
1280  {
1281  /* MD5 uses the username as salt, so just clear it on a rename */
1282  repl_repl[Anum_pg_authid_rolpassword - 1] = true;
1283  repl_null[Anum_pg_authid_rolpassword - 1] = true;
1284 
1285  ereport(NOTICE,
1286  (errmsg("MD5 password cleared because of role rename")));
1287  }
1288 
1289  newtuple = heap_modify_tuple(oldtuple, dsc, repl_val, repl_null, repl_repl);
1290  CatalogTupleUpdate(rel, &oldtuple->t_self, newtuple);
1291 
1292  InvokeObjectPostAlterHook(AuthIdRelationId, roleid, 0);
1293 
1294  ObjectAddressSet(address, AuthIdRelationId, roleid);
1295 
1296  ReleaseSysCache(oldtuple);
1297 
1298  /*
1299  * Close pg_authid, but keep lock till commit.
1300  */
1301  table_close(rel, NoLock);
1302 
1303  return address;
1304 }
1305 
1306 /*
1307  * GrantRoleStmt
1308  *
1309  * Grant/Revoke roles to/from roles
1310  */
1311 void
1313 {
1314  Relation pg_authid_rel;
1315  Oid grantor;
1316  List *grantee_ids;
1317  ListCell *item;
1318 
1319  if (stmt->grantor)
1320  grantor = get_rolespec_oid(stmt->grantor, false);
1321  else
1322  grantor = GetUserId();
1323 
1324  grantee_ids = roleSpecsToIds(stmt->grantee_roles);
1325 
1326  /* AccessShareLock is enough since we aren't modifying pg_authid */
1327  pg_authid_rel = table_open(AuthIdRelationId, AccessShareLock);
1328 
1329  /*
1330  * Step through all of the granted roles and add/remove entries for the
1331  * grantees, or, if admin_opt is set, then just add/remove the admin
1332  * option.
1333  *
1334  * Note: Permissions checking is done by AddRoleMems/DelRoleMems
1335  */
1336  foreach(item, stmt->granted_roles)
1337  {
1338  AccessPriv *priv = (AccessPriv *) lfirst(item);
1339  char *rolename = priv->priv_name;
1340  Oid roleid;
1341 
1342  /* Must reject priv(columns) and ALL PRIVILEGES(columns) */
1343  if (rolename == NULL || priv->cols != NIL)
1344  ereport(ERROR,
1345  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1346  errmsg("column names cannot be included in GRANT/REVOKE ROLE")));
1347 
1348  roleid = get_role_oid(rolename, false);
1349  if (stmt->is_grant)
1350  AddRoleMems(rolename, roleid,
1351  stmt->grantee_roles, grantee_ids,
1352  grantor, stmt->admin_opt);
1353  else
1354  DelRoleMems(rolename, roleid,
1355  stmt->grantee_roles, grantee_ids,
1356  stmt->admin_opt);
1357  }
1358 
1359  /*
1360  * Close pg_authid, but keep lock till commit.
1361  */
1362  table_close(pg_authid_rel, NoLock);
1363 }
1364 
1365 /*
1366  * DropOwnedObjects
1367  *
1368  * Drop the objects owned by a given list of roles.
1369  */
1370 void
1372 {
1373  List *role_ids = roleSpecsToIds(stmt->roles);
1374  ListCell *cell;
1375 
1376  /* Check privileges */
1377  foreach(cell, role_ids)
1378  {
1379  Oid roleid = lfirst_oid(cell);
1380 
1381  if (!has_privs_of_role(GetUserId(), roleid))
1382  ereport(ERROR,
1383  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1384  errmsg("permission denied to drop objects")));
1385  }
1386 
1387  /* Ok, do it */
1388  shdepDropOwned(role_ids, stmt->behavior);
1389 }
1390 
1391 /*
1392  * ReassignOwnedObjects
1393  *
1394  * Give the objects owned by a given list of roles away to another user.
1395  */
1396 void
1398 {
1399  List *role_ids = roleSpecsToIds(stmt->roles);
1400  ListCell *cell;
1401  Oid newrole;
1402 
1403  /* Check privileges */
1404  foreach(cell, role_ids)
1405  {
1406  Oid roleid = lfirst_oid(cell);
1407 
1408  if (!has_privs_of_role(GetUserId(), roleid))
1409  ereport(ERROR,
1410  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1411  errmsg("permission denied to reassign objects")));
1412  }
1413 
1414  /* Must have privileges on the receiving side too */
1415  newrole = get_rolespec_oid(stmt->newrole, false);
1416 
1417  if (!has_privs_of_role(GetUserId(), newrole))
1418  ereport(ERROR,
1419  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1420  errmsg("permission denied to reassign objects")));
1421 
1422  /* Ok, do it */
1423  shdepReassignOwned(role_ids, newrole);
1424 }
1425 
1426 /*
1427  * roleSpecsToIds
1428  *
1429  * Given a list of RoleSpecs, generate a list of role OIDs in the same order.
1430  *
1431  * ROLESPEC_PUBLIC is not allowed.
1432  */
1433 List *
1434 roleSpecsToIds(List *memberNames)
1435 {
1436  List *result = NIL;
1437  ListCell *l;
1438 
1439  foreach(l, memberNames)
1440  {
1441  RoleSpec *rolespec = lfirst_node(RoleSpec, l);
1442  Oid roleid;
1443 
1444  roleid = get_rolespec_oid(rolespec, false);
1445  result = lappend_oid(result, roleid);
1446  }
1447  return result;
1448 }
1449 
1450 /*
1451  * AddRoleMems -- Add given members to the specified role
1452  *
1453  * rolename: name of role to add to (used only for error messages)
1454  * roleid: OID of role to add to
1455  * memberSpecs: list of RoleSpec of roles to add (used only for error messages)
1456  * memberIds: OIDs of roles to add
1457  * grantorId: who is granting the membership
1458  * admin_opt: granting admin option?
1459  */
1460 static void
1461 AddRoleMems(const char *rolename, Oid roleid,
1462  List *memberSpecs, List *memberIds,
1463  Oid grantorId, bool admin_opt)
1464 {
1465  Relation pg_authmem_rel;
1466  TupleDesc pg_authmem_dsc;
1467  ListCell *specitem;
1468  ListCell *iditem;
1469 
1470  Assert(list_length(memberSpecs) == list_length(memberIds));
1471 
1472  /* Skip permission check if nothing to do */
1473  if (!memberIds)
1474  return;
1475 
1476  /*
1477  * Check permissions: must have createrole or admin option on the role to
1478  * be changed. To mess with a superuser role, you gotta be superuser.
1479  */
1480  if (superuser_arg(roleid))
1481  {
1482  if (!superuser())
1483  ereport(ERROR,
1484  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1485  errmsg("must be superuser to alter superusers")));
1486  }
1487  else
1488  {
1489  if (!have_createrole_privilege() &&
1490  !is_admin_of_role(grantorId, roleid))
1491  ereport(ERROR,
1492  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1493  errmsg("must have admin option on role \"%s\"",
1494  rolename)));
1495  }
1496 
1497  /*
1498  * The role membership grantor of record has little significance at
1499  * present. Nonetheless, inasmuch as users might look to it for a crude
1500  * audit trail, let only superusers impute the grant to a third party.
1501  *
1502  * Before lifting this restriction, give the member == role case of
1503  * is_admin_of_role() a fresh look. Ensure that the current role cannot
1504  * use an explicit grantor specification to take advantage of the session
1505  * user's self-admin right.
1506  */
1507  if (grantorId != GetUserId() && !superuser())
1508  ereport(ERROR,
1509  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1510  errmsg("must be superuser to set grantor")));
1511 
1512  pg_authmem_rel = table_open(AuthMemRelationId, RowExclusiveLock);
1513  pg_authmem_dsc = RelationGetDescr(pg_authmem_rel);
1514 
1515  forboth(specitem, memberSpecs, iditem, memberIds)
1516  {
1517  RoleSpec *memberRole = lfirst_node(RoleSpec, specitem);
1518  Oid memberid = lfirst_oid(iditem);
1519  HeapTuple authmem_tuple;
1520  HeapTuple tuple;
1521  Datum new_record[Natts_pg_auth_members];
1522  bool new_record_nulls[Natts_pg_auth_members];
1523  bool new_record_repl[Natts_pg_auth_members];
1524 
1525  /*
1526  * Refuse creation of membership loops, including the trivial case
1527  * where a role is made a member of itself. We do this by checking to
1528  * see if the target role is already a member of the proposed member
1529  * role. We have to ignore possible superuserness, however, else we
1530  * could never grant membership in a superuser-privileged role.
1531  */
1532  if (is_member_of_role_nosuper(roleid, memberid))
1533  ereport(ERROR,
1534  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1535  errmsg("role \"%s\" is a member of role \"%s\"",
1536  rolename, get_rolespec_name(memberRole))));
1537 
1538  /*
1539  * Check if entry for this role/member already exists; if so, give
1540  * warning unless we are adding admin option.
1541  */
1542  authmem_tuple = SearchSysCache2(AUTHMEMROLEMEM,
1543  ObjectIdGetDatum(roleid),
1544  ObjectIdGetDatum(memberid));
1545  if (HeapTupleIsValid(authmem_tuple) &&
1546  (!admin_opt ||
1547  ((Form_pg_auth_members) GETSTRUCT(authmem_tuple))->admin_option))
1548  {
1549  ereport(NOTICE,
1550  (errmsg("role \"%s\" is already a member of role \"%s\"",
1551  get_rolespec_name(memberRole), rolename)));
1552  ReleaseSysCache(authmem_tuple);
1553  continue;
1554  }
1555 
1556  /* Build a tuple to insert or update */
1557  MemSet(new_record, 0, sizeof(new_record));
1558  MemSet(new_record_nulls, false, sizeof(new_record_nulls));
1559  MemSet(new_record_repl, false, sizeof(new_record_repl));
1560 
1561  new_record[Anum_pg_auth_members_roleid - 1] = ObjectIdGetDatum(roleid);
1562  new_record[Anum_pg_auth_members_member - 1] = ObjectIdGetDatum(memberid);
1563  new_record[Anum_pg_auth_members_grantor - 1] = ObjectIdGetDatum(grantorId);
1564  new_record[Anum_pg_auth_members_admin_option - 1] = BoolGetDatum(admin_opt);
1565 
1566  if (HeapTupleIsValid(authmem_tuple))
1567  {
1568  new_record_repl[Anum_pg_auth_members_grantor - 1] = true;
1569  new_record_repl[Anum_pg_auth_members_admin_option - 1] = true;
1570  tuple = heap_modify_tuple(authmem_tuple, pg_authmem_dsc,
1571  new_record,
1572  new_record_nulls, new_record_repl);
1573  CatalogTupleUpdate(pg_authmem_rel, &tuple->t_self, tuple);
1574  ReleaseSysCache(authmem_tuple);
1575  }
1576  else
1577  {
1578  tuple = heap_form_tuple(pg_authmem_dsc,
1579  new_record, new_record_nulls);
1580  CatalogTupleInsert(pg_authmem_rel, tuple);
1581  }
1582 
1583  /* CCI after each change, in case there are duplicates in list */
1585  }
1586 
1587  /*
1588  * Close pg_authmem, but keep lock till commit.
1589  */
1590  table_close(pg_authmem_rel, NoLock);
1591 }
1592 
1593 /*
1594  * DelRoleMems -- Remove given members from the specified role
1595  *
1596  * rolename: name of role to del from (used only for error messages)
1597  * roleid: OID of role to del from
1598  * memberSpecs: list of RoleSpec of roles to del (used only for error messages)
1599  * memberIds: OIDs of roles to del
1600  * admin_opt: remove admin option only?
1601  */
1602 static void
1603 DelRoleMems(const char *rolename, Oid roleid,
1604  List *memberSpecs, List *memberIds,
1605  bool admin_opt)
1606 {
1607  Relation pg_authmem_rel;
1608  TupleDesc pg_authmem_dsc;
1609  ListCell *specitem;
1610  ListCell *iditem;
1611 
1612  Assert(list_length(memberSpecs) == list_length(memberIds));
1613 
1614  /* Skip permission check if nothing to do */
1615  if (!memberIds)
1616  return;
1617 
1618  /*
1619  * Check permissions: must have createrole or admin option on the role to
1620  * be changed. To mess with a superuser role, you gotta be superuser.
1621  */
1622  if (superuser_arg(roleid))
1623  {
1624  if (!superuser())
1625  ereport(ERROR,
1626  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1627  errmsg("must be superuser to alter superusers")));
1628  }
1629  else
1630  {
1631  if (!have_createrole_privilege() &&
1632  !is_admin_of_role(GetUserId(), roleid))
1633  ereport(ERROR,
1634  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1635  errmsg("must have admin option on role \"%s\"",
1636  rolename)));
1637  }
1638 
1639  pg_authmem_rel = table_open(AuthMemRelationId, RowExclusiveLock);
1640  pg_authmem_dsc = RelationGetDescr(pg_authmem_rel);
1641 
1642  forboth(specitem, memberSpecs, iditem, memberIds)
1643  {
1644  RoleSpec *memberRole = lfirst(specitem);
1645  Oid memberid = lfirst_oid(iditem);
1646  HeapTuple authmem_tuple;
1647 
1648  /*
1649  * Find entry for this role/member
1650  */
1651  authmem_tuple = SearchSysCache2(AUTHMEMROLEMEM,
1652  ObjectIdGetDatum(roleid),
1653  ObjectIdGetDatum(memberid));
1654  if (!HeapTupleIsValid(authmem_tuple))
1655  {
1656  ereport(WARNING,
1657  (errmsg("role \"%s\" is not a member of role \"%s\"",
1658  get_rolespec_name(memberRole), rolename)));
1659  continue;
1660  }
1661 
1662  if (!admin_opt)
1663  {
1664  /* Remove the entry altogether */
1665  CatalogTupleDelete(pg_authmem_rel, &authmem_tuple->t_self);
1666  }
1667  else
1668  {
1669  /* Just turn off the admin option */
1670  HeapTuple tuple;
1671  Datum new_record[Natts_pg_auth_members];
1672  bool new_record_nulls[Natts_pg_auth_members];
1673  bool new_record_repl[Natts_pg_auth_members];
1674 
1675  /* Build a tuple to update with */
1676  MemSet(new_record, 0, sizeof(new_record));
1677  MemSet(new_record_nulls, false, sizeof(new_record_nulls));
1678  MemSet(new_record_repl, false, sizeof(new_record_repl));
1679 
1680  new_record[Anum_pg_auth_members_admin_option - 1] = BoolGetDatum(false);
1681  new_record_repl[Anum_pg_auth_members_admin_option - 1] = true;
1682 
1683  tuple = heap_modify_tuple(authmem_tuple, pg_authmem_dsc,
1684  new_record,
1685  new_record_nulls, new_record_repl);
1686  CatalogTupleUpdate(pg_authmem_rel, &tuple->t_self, tuple);
1687  }
1688 
1689  ReleaseSysCache(authmem_tuple);
1690 
1691  /* CCI after each change, in case there are duplicates in list */
1693  }
1694 
1695  /*
1696  * Close pg_authmem, but keep lock till commit.
1697  */
1698  table_close(pg_authmem_rel, NoLock);
1699 }
bool has_createrole_privilege(Oid roleid)
Definition: aclchk.c:5312
#define NIL
Definition: pg_list.h:65
Oid GetNewOidWithIndex(Relation relation, Oid indexId, AttrNumber oidcolumn)
Definition: catalog.c:317
RoleSpec * role
Definition: parsenodes.h:2519
void shdepDropOwned(List *roleids, DropBehavior behavior)
Definition: pg_shdepend.c:1285
Datum namein(PG_FUNCTION_ARGS)
Definition: name.c:48
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:167
#define forboth(cell1, list1, cell2, list2)
Definition: pg_list.h:419
void systable_endscan(SysScanDesc sysscan)
Definition: genam.c:569
#define GETSTRUCT(TUP)
Definition: htup_details.h:655
Oid binary_upgrade_next_pg_authid_oid
Definition: user.c:42
#define InvokeObjectPostCreateHook(classId, objectId, subId)
Definition: objectaccess.h:151
#define RelationGetDescr(relation)
Definition: rel.h:482
Oid GetUserId(void)
Definition: miscinit.c:476
int Password_encryption
Definition: user.c:46
#define PointerGetDatum(X)
Definition: postgres.h:556
RoleStmtType stmt_type
Definition: parsenodes.h:2511
char * pstrdup(const char *in)
Definition: mcxt.c:1187
void DropOwnedObjects(DropOwnedStmt *stmt)
Definition: user.c:1371
bool has_privs_of_role(Oid member, Oid role)
Definition: acl.c:4892
void AlterSetting(Oid databaseid, Oid roleid, VariableSetStmt *setstmt)
#define InvokeObjectDropHook(classId, objectId, subId)
Definition: objectaccess.h:160
char * encrypt_password(PasswordType target_type, const char *role, const char *password)
Definition: crypt.c:114
bool is_admin_of_role(Oid member, Oid role)
Definition: acl.c:4974
#define AccessShareLock
Definition: lockdefs.h:36
int plain_crypt_verify(const char *role, const char *shadow_pass, const char *client_pass, char **logdetail)
Definition: crypt.c:222
#define strVal(v)
Definition: value.h:54
int errcode(int sqlerrcode)
Definition: elog.c:610
bool superuser(void)
Definition: superuser.c:46
#define MemSet(start, val, len)
Definition: c.h:949
List * granted_roles
Definition: parsenodes.h:1982
void CatalogTupleDelete(Relation heapRel, ItemPointer tid)
Definition: indexing.c:350
RoleSpec * role
Definition: parsenodes.h:2527
HeapTuple heap_form_tuple(TupleDesc tupleDescriptor, Datum *values, bool *isnull)
Definition: heaptuple.c:1020
List * roles
Definition: parsenodes.h:2535
List * cols
Definition: parsenodes.h:1967
#define DirectFunctionCall1(func, arg1)
Definition: fmgr.h:624
#define AuthIdOidIndexId
Definition: indexing.h:112
void heap_freetuple(HeapTuple htup)
Definition: heaptuple.c:1338
unsigned int Oid
Definition: postgres_ext.h:31
bool IsReservedName(const char *name)
Definition: catalog.c:212
List * lappend_oid(List *list, Oid datum)
Definition: list.c:357
#define OidIsValid(objectId)
Definition: c.h:651
void(* check_password_hook_type)(const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null)
Definition: user.h:23
Oid GetSessionUserId(void)
Definition: miscinit.c:510
SysScanDesc systable_beginscan(Relation heapRelation, Oid indexId, bool indexOK, Snapshot snapshot, int nkeys, ScanKey key)
Definition: genam.c:357
bool IsBinaryUpgrade
Definition: globals.c:110
Oid CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
Definition: user.c:71
int errdetail_internal(const char *fmt,...)
Definition: elog.c:984
Oid get_role_oid(const char *rolname, bool missing_ok)
Definition: acl.c:5175
#define list_make1(x1)
Definition: pg_list.h:227
Oid grantor
FormData_pg_authid * Form_pg_authid
Definition: pg_authid.h:56
void aclcheck_error(AclResult aclerr, ObjectType objtype, const char *objectname)
Definition: aclchk.c:3294
HeapTuple systable_getnext(SysScanDesc sysscan)
Definition: genam.c:476
#define SearchSysCacheExists1(cacheId, key1)
Definition: syscache.h:183
Oid GetOuterUserId(void)
Definition: miscinit.c:487
#define ObjectIdGetDatum(X)
Definition: postgres.h:507
#define ERROR
Definition: elog.h:43
void GrantRole(GrantRoleStmt *stmt)
Definition: user.c:1312
static void AddRoleMems(const char *rolename, Oid roleid, List *memberSpecs, List *memberIds, Oid grantorId, bool admin_opt)
Definition: user.c:1461
void shdepLockAndCheckObject(Oid classId, Oid objectId)
Definition: pg_shdepend.c:1109
ItemPointerData t_self
Definition: htup.h:65
#define lfirst_node(type, lc)
Definition: pg_list.h:193
#define NoLock
Definition: lockdefs.h:34
void shdepReassignOwned(List *roleids, Oid newrole)
Definition: pg_shdepend.c:1439
int location
Definition: parsenodes.h:736
#define RowExclusiveLock
Definition: lockdefs.h:38
int errdetail(const char *fmt,...)
Definition: elog.c:957
#define CStringGetDatum(X)
Definition: postgres.h:578
int errdetail_log(const char *fmt,...)
Definition: elog.c:1005
static char * password
Definition: streamutil.c:53
DropBehavior behavior
Definition: parsenodes.h:3464
#define STATUS_OK
Definition: c.h:1111
#define InvokeObjectPostAlterHook(classId, objectId, subId)
Definition: objectaccess.h:175
RoleSpec * grantor
Definition: parsenodes.h:1986
bool pg_database_ownercheck(Oid db_oid, Oid roleid)
Definition: aclchk.c:5105
bool superuser_arg(Oid roleid)
Definition: superuser.c:56
#define DirectFunctionCall3(func, arg1, arg2, arg3)
Definition: fmgr.h:628
Node * arg
Definition: parsenodes.h:734
char * get_rolespec_name(const RoleSpec *role)
Definition: acl.c:5294
int location
Definition: parsenodes.h:332
#define AuthMemRoleMemIndexId
Definition: indexing.h:115
#define WARNING
Definition: elog.h:40
Oid AlterRole(AlterRoleStmt *stmt)
Definition: user.c:531
#define heap_getattr(tup, attnum, tupleDesc, isnull)
Definition: htup_details.h:762
HeapTuple SearchSysCache1(int cacheId, Datum key1)
Definition: syscache.c:1116
#define TextDatumGetCString(d)
Definition: builtins.h:87
uintptr_t Datum
Definition: postgres.h:367
void CommandCounterIncrement(void)
Definition: xact.c:1021
void check_rolespec_name(const RoleSpec *role, const char *detail_msg)
Definition: acl.c:5316
void ReleaseSysCache(HeapTuple tuple)
Definition: syscache.c:1164
RoleSpecType roletype
Definition: parsenodes.h:330
Oid AlterRoleSet(AlterRoleSetStmt *stmt)
Definition: user.c:913
Datum SysCacheGetAttr(int cacheId, HeapTuple tup, AttrNumber attributeNumber, bool *isNull)
Definition: syscache.c:1377
#define list_make1_oid(x1)
Definition: pg_list.h:249
Oid get_rolespec_oid(const RoleSpec *role, bool missing_ok)
Definition: acl.c:5209
FormData_pg_auth_members * Form_pg_auth_members
void LockSharedObject(Oid classid, Oid objid, uint16 objsubid, LOCKMODE lockmode)
Definition: lmgr.c:1017
VariableSetStmt * setstmt
Definition: parsenodes.h:2529
bool admin_option
#define BoolGetDatum(X)
Definition: postgres.h:402
Oid get_database_oid(const char *dbname, bool missing_ok)
Definition: dbcommands.c:2108
#define InvalidOid
Definition: postgres_ext.h:36
ObjectAddress RenameRole(const char *oldname, const char *newname)
Definition: user.c:1172
#define ereport(elevel,...)
Definition: elog.h:144
#define NOTICE
Definition: elog.h:37
List * roleSpecsToIds(List *memberNames)
Definition: user.c:1434
#define makeNode(_type_)
Definition: nodes.h:577
#define HeapTupleIsValid(tuple)
Definition: htup.h:78
#define Assert(condition)
Definition: c.h:745
#define lfirst(lc)
Definition: pg_list.h:190
void DeleteSharedComments(Oid oid, Oid classoid)
Definition: comment.c:373
List * options
Definition: parsenodes.h:2520
#define AuthMemMemRoleIndexId
Definition: indexing.h:117
HeapTuple get_rolespec_tuple(const RoleSpec *role)
Definition: acl.c:5248
void CatalogTupleUpdate(Relation heapRel, ItemPointer otid, HeapTuple tup)
Definition: indexing.c:301
static int list_length(const List *l)
Definition: pg_list.h:169
int parser_errposition(ParseState *pstate, int location)
Definition: parse_node.c:110
RoleSpec * newrole
Definition: parsenodes.h:3474
HeapTuple SearchSysCache2(int cacheId, Datum key1, Datum key2)
Definition: syscache.c:1127
char * rolename
Definition: parsenodes.h:331
#define ObjectAddressSet(addr, class_id, object_id)
Definition: objectaddress.h:40
void DeleteSharedSecurityLabel(Oid objectId, Oid classId)
Definition: seclabel.c:488
#define AccessExclusiveLock
Definition: lockdefs.h:45
#define Int32GetDatum(X)
Definition: postgres.h:479
bool is_member_of_role_nosuper(Oid member, Oid role)
Definition: acl.c:4954
Datum timestamptz_in(PG_FUNCTION_ARGS)
Definition: timestamp.c:401
#define intVal(v)
Definition: value.h:52
Oid createdb(ParseState *pstate, const CreatedbStmt *stmt)
Definition: dbcommands.c:100
int errmsg(const char *fmt,...)
Definition: elog.c:824
PasswordType get_password_type(const char *shadow_pass)
Definition: crypt.c:89
#define elog(elevel,...)
Definition: elog.h:214
void ReassignOwnedObjects(ReassignOwnedStmt *stmt)
Definition: user.c:1397
static bool have_createrole_privilege(void)
Definition: user.c:61
int i
#define NameStr(name)
Definition: c.h:622
void ScanKeyInit(ScanKey entry, AttrNumber attributeNumber, StrategyNumber strategy, RegProcedure procedure, Datum argument)
Definition: scankey.c:76
#define CStringGetTextDatum(s)
Definition: builtins.h:86
void DropRole(DropRoleStmt *stmt)
Definition: user.c:994
char * defname
Definition: parsenodes.h:733
List * grantee_roles
Definition: parsenodes.h:1983
bool checkSharedDependencies(Oid classId, Oid objectId, char **detail_msg, char **detail_log_msg)
Definition: pg_shdepend.c:577
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:39
HeapTuple heap_modify_tuple(HeapTuple tuple, TupleDesc tupleDesc, Datum *replValues, bool *replIsnull, bool *doReplace)
Definition: heaptuple.c:1113
check_password_hook_type check_password_hook
Definition: user.c:49
void DropSetting(Oid databaseid, Oid roleid)
#define ERRCODE_DUPLICATE_OBJECT
Definition: streamutil.c:32
Definition: pg_list.h:50
void CatalogTupleInsert(Relation heapRel, HeapTuple tup)
Definition: indexing.c:221
#define BTEqualStrategyNumber
Definition: stratnum.h:31
char * priv_name
Definition: parsenodes.h:1966
#define lfirst_oid(lc)
Definition: pg_list.h:192
static void DelRoleMems(const char *rolename, Oid roleid, List *memberSpecs, List *memberIds, bool admin_opt)
Definition: user.c:1603